
CONCEPTUAL FRAMEWORK FOR ONLINE INTERNAL CONTROLS

Journal of Information Technology Management Volume XV, Numbers 3-4, 2004 23

Journal of Information Technology Management

ISSN #1042-1319

A Publication of the Association of Management

A CONCEPTUAL FRAMEWORK FOR ONLINE INTERNAL CONTROLS

ASHUTOSH DESHMUKH

PENNSYLVANIA STATE UNIVERSITY – ERIE

[email protected]

ABSTRACT

The Internet and web based tools permeate almost every functional area of the business including supplier and customer relationships. The rise in business transactions over the networks is accompanied by an explosion in various online controls. A profusion of online controls has created problems in understanding the purposes and objectives of online internal controls. This paper presents conceptual approaches to the online controls to aid our understanding of controls on the Internet. First, the COSO/AICPA framework is presented. The online internal controls are then classified according to this framework. This classification is useful to accountants and auditors in understanding the purposes of online controls. Next, a conceptual framework was developed based on the objectives of online internal controls, which is useful for managers. The objectives of internal controls were stated as validity of transactions, mutual authentication of identity, authorization, data integrity and confidentiality, non-repudiation, and auditability of transactions. This framework enables us to ask intelligent questions regarding internal controls even in the absence of full technical understanding of those controls.

Keywords: internal controls, security policies, online systems controls, security.

INTRODUCTION

The Internet and web have been firmly entrenched in today’s business practices. The Internet and web based tools permeate almost every functional area of the business including supplier and customer relationships. Add to that a unique mixture of disparate technologies, networks, and computing systems; and people collaborating, perhaps from across the globe, who may not have ever met face-to-face. These factors make security a prime concern for organizations that conduct business online [6]. Currently, there is a profusion of online controls, for example, digital signatures, digital certificates, encryption, security protocols, virtual private networks, and so on [5]. However, a systematic conceptual approach to categorize these controls and make them understandable to managers is conspicuously absent.

The purpose of this paper is to provide frameworks for online controls using the auditing perspective of internal controls. First, this paper categorizes the online controls in the framework of the COSO (Committee of Sponsoring Organizations) Report [9] and the AICPA (American Institute of Certified Accountants) issued SAS (Statement on Auditing Standards) Nos. 53 and 78 [1,2]. Such a categorization is beneficial to accountants and auditors. Next, a conceptual framework based on the objectives of internal controls is presented. This approach is more managerial in nature and helpful to managers who are interested in understanding the objectives behind online controls. These approaches are complementary and enable us to ask intelligent questions regarding online internal controls even if we do not have a full technical understanding of the said controls.


INTERNAL CONTROLS AND COSO FRAMEWORK

Internal controls are basically systems of checks and balances. The purpose is to keep the organization moving along the desired lines as per the wishes of the owners and to protect assets of the business. Internal controls have received attention from auditors, managers, accountants, fraud examiners, and legislatures. Internal controls are also affected by changes in business and information technology. As such, the sophistication, scope, and interpretations of internal controls have evolved over the years. However, internal controls do not have a standard definition, standard objective, and a single owner. There are two basic questions: What are internal controls? What function do they serve? The answers to these questions, of course, depend on who is answering the question.

Table 1: Perspectives on Internal Controls

ISACA
Definition: The policies, procedures, practices, and organizational structures are designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.
Components: Planning and organization; Acquisition and implementation; Delivery and support; Monitoring
Focus: Information Technology

IIA
Definition: A system of internal controls is a set of processes, functions, activities, subsystems, and people who are grouped together or consciously segregated to ensure the effective achievement of objectives and goals.
Components: Control environment; Manual and automated systems; Control procedures
Focus: Information Technology

COSO
Definition: A process effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
Components: Control environment; Risk management; Control activities; Information and communication; Monitoring
Focus: Overall entity

AICPA
Definition: A process effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Reliability of financial reporting
• Effectiveness and efficiency of operations
• Compliance with applicable laws and regulations
Components: Control environment; Risk management; Control activities; Information and communication; Monitoring
Focus: Financial Statements

Source: Colbert and Bowen [8]


The major US organizations that have articulated concepts of internal controls include ISACA (Information Systems Audit and Control Association), IIA (Institute of Internal Auditors), COSO, and AICPA [8]. These efforts are not independent but borrow from each other in an evolutionary spiral. Internal controls are viewed as an amalgam of business models, organizational processes, organizational procedures, people, and information technology. These controls are used in safeguarding assets of the business, providing relevant and reliable information, promoting operational efficiency, and complying with managerial policies and procedures.

The responsibility for instituting and maintaining internal controls rests with the management. In the real world, involvement of various layers of management in internal controls varies widely. Internal controls provide reasonable, not absolute, assurance, since internal controls are subject to cost benefit analysis. All internal controls have limitations such as collusion by personnel to overcome controls, override by the top management, and human error. Internal controls ideally should evolve in tandem with the changing business conditions; thus the need for continuous management monitoring.

Each organization defines components of internal controls differently, though there are a number of similarities. The components defined by COSO and adopted by the AICPA are comprehensive and are briefly discussed below in the context of online controls.

[Figure 1 maps the five COSO components to their online equivalents; the recoverable labels are:]

Control Environment and Risk Management: Security Policy, shaped by Organizational Mission/Culture and Legislative Influence (Sarbanes-Oxley Act, US Patriot Act, Gramm-Leach-Bliley Act, Foreign Corrupt Practices Act)

Control Activities: Perimeter Security, Message Content Security, Infrastructure Security, carried out through Passwords, Firewalls, Digital Signatures, Digital Certificates, Virtual Private Networks, Anti-Intrusion Techniques, Automated Software Tools

Information and Communication: Security Policy; Alerts, Reports, E-mail, Pager, Portals, Instant Messages, etc.

Monitoring: Automated Software Tools, Automated Responses, Inspection, Observation

Figure 1: The COSO Framework and Online Controls

Control Environment

This is the foundation of internal controls since it deals with the people aspect. Control environment signifies attitudes of people in charge of the organization toward the controls. The tone set at the top soon permeates the entire organization. As such, no system of internal controls is effective unless actively supported by the top management. The different elements of control environment are as follows:

o Management’s commitment to integrity and ethics

o Management’s philosophy and operating style

o Complexity of the organizational structure

o Oversight exercised by the board of directors, audit committee, and internal auditors

o Procedures for delegating authority and responsibility

o Human resource policies and procedures

o External influences such as the requirements of Sarbanes-Oxley Act


Risk Management

All businesses face internal and external threats. Risk analysis involves analyzing these threats and taking proactive and reactive steps to mitigate risks. The steps involved in the risk analysis are given below:

o Identify threats in the financial, operational, and strategic areas

o Estimate risks involved in each threat

o Assess cost of loss due to the risk, that is, the likelihood of occurrence of risk multiplied by possible loss

o Manage risk by designing appropriate controls

o Make sure that all controls undergo cost/benefit analysis

The online equivalent of control environment and risk management is the Security Policy of the organization. The security procedures and internal controls must embody the strategic, cultural, political, and technological aspects of an organization [11]. Security policy is the place where these factors are integrated to develop a comprehensive framework for security. Security policy contains goals and objectives of the security system, defines the overall purpose of the security system, and provides direction for implementation of the security system [12]. Security policy is generally designed for the entire information system, not only the online component. However, the ensuing discussion focuses on the online component of the security policy. The questions that are addressed by the security policy can be simplistically stated as follows.

• Who will use the system?

• What will be the rights and responsibilities of the users?

• How will the remote and local users access the system?

• When can the system be accessed?

• Who will decide and grant user rights?

• How is the user activity tracked and recorded?

• What disciplinary actions will be taken for errant users?

• What are the procedures for responding to security breaches?

Designing a security policy is a multi-disciplinary process [7]. As the COSO report states, involvement of the top management is crucial. Senior management knowledge, operational management knowledge, information technology knowledge, and financial knowledge are required to complete the assessment required to design a security policy. The process is interdisciplinary and iterative. The designed policy is not set in stone but changes as the organization changes and needs constant updating and maintenance.

Control Activities

These are policies and procedures that ensure that the management’s directives are carried out. The five classes of these policies and procedures are given below.

o Appropriate authorization of transactions

o Separation of duties

o Proper design and usage of documents and records

o Safeguarding of assets and records via adequate access controls

o Independent verification, for example, internal and external audits

The online equivalent of control activities can be broken down into three categories: perimeter security, message content security, and infrastructure security. Perimeter security involves protecting the perimeter of the organizational network; however, defining the perimeter of the organizational network is a tricky issue. Message content security deals with the security of the messages traveling over the Internet, intranet, and extranets. Finally, infrastructure security deals with protecting the IT infrastructure of the organization.1 The control activities in the online world are carried out by controls such as passwords, firewalls, digital signatures, digital certificates, virtual private networks, and network anti-intrusion techniques.

Information and Communication

Internal controls should identify, capture, process, and report appropriate information, which may be financial or operational. The security policy of the organization deals with the information and communication issues. The security policy will delineate the methods of communications such as alerts, reports, e-mails, or pagers. The authority to whom such information should flow will also be specified in the security policy.

1 Infrastructure security is a pervasive concern and can include topics such as disaster recovery planning. This paper focuses only on the online aspects of the infrastructure security.


Monitoring

Internal controls should be evaluated, periodically or continuously, to assure that they are functioning as intended by the management. The methods of evaluating internal controls depend on the type of controls being evaluated; for example, evaluating the tone set at the top will be different from evaluating separation of duties. Monitoring in the online environment is generally carried out by automated software tools and also to some extent by human inspection and observation.

The theoretical framework advocated by COSO fits well to the controls on the Internet. This approach maps each aspect of the COSO framework to the online controls. Auditors and accountants who routinely use COSO and AICPA frameworks to categorize internal controls can benefit by application of the same framework to online internal controls. Next, a conceptual framework that evaluates online internal controls in terms of their objectives is presented.

CONCEPTUAL FRAMEWORK FOR INTERNAL CONTROLS IN THE ONLINE WORLD

[Figure 2 places the label ONLINE CONTROLS at the center of four overlapping dimensions: Legal, Technical, Human, and Audit.]

Figure 2: Dimensions of Online Controls

As shown in Figure 2, internal controls have four dimensions: technical, legal, human, and audit, which can overlap at times. The technical dimension of controls, for example encryption, has often been stressed in the control literature. The other dimensions such as audit and legal have not received much attention. This paper uses these four dimensions to forge a conceptual framework for the online controls.

The internal controls, no matter the exotic terminology, have standard objectives. The objectives of online controls can be classified as validity of transactions, mutual authentication of identity, authorization, end-to-end data integrity and confidentiality, non-repudiation, and auditability of transactions. These objectives encompass all four dimensions of internal controls as articulated in the previous paragraph, and are discussed in detail in the forthcoming paragraphs. These areas are not mutually exclusive but provide us a way to conceptually organize and discuss internal controls in the online world.2

Validity of Transactions

The primary question in the online transactions is the legal status of a transaction. The validity of transactions over the Internet is a legal issue. The UCC (Uniform Commercial Code), a primary federal commercial law in the US, is accepted by every state and governs the business transactions. There are numerous other commercial laws at the state level. Most of these commercial laws have been designed with paper-based transactions in mind. How do you interpret and apply these laws to electronic transactions? This question is an important internal control issue. In general, existing commercial laws apply to e-commerce transactions. However, e-commerce also raises a few novel legal issues that are not addressed by the existing laws. These issues in the online world can be stated as follows.

• Can you consider electronic records and paper documents as equivalent?

• Can you enforce the online sale if the customer denies that he/she ever placed the order?

• Are electronic agreements legally valid?

• What is the role of electronic signatures vis-à-vis pen and ink signatures?

There are three primary acts that govern the electronic transactions [4]. The first two acts, UETA (Uniform Electronic Transactions Act) and UCITA (Uniform Computer Information Transactions Act), were drafted by the National Conference of Commissioners on Uniform State Laws in 1999. The third act, E-SIGN (Electronic Signatures in Global and National Commerce Act), was passed by the Congress in 2000. UETA validates electronic signatures and establishes an equivalence of electronic documents and paper-based documents. The majority of the states in the US have adopted this act. UCITA is primarily aimed at computer information transactions and applies to computer software, digital databases, digital music, and digital storage devices such as CDs and DVDs. This act in essence provides a commercial contract code for digital information transactions. The majority of the states in the US have not adopted this law as some of the provisions have been controversial. E-SIGN, on the other hand, is a federal statute that provides legal validity and enforceability to electronic contracts and electronic signatures,3 across the entire country.

2 The relationship between Figure 1 and Figure 3 is complex. The objectives of internal controls enumerated in Figure 3 cut across the COSO framework. For example, the objective of data integrity and confidentiality is applicable to risk management, control activities, and information and communication in the COSO framework. This difference is due to the fact that the objectives in Figure 3 are specifically developed for controls whereas the COSO framework is more general and applicable to the entire organization.

Does that mean that these laws have resolved our e-commerce concerns? The answer is a qualified yes [3]. These laws in general make electronic documents and paper-based documents equivalent. The use of electronic signatures now has the legal force of paper based signatures. The electronic contracts are now legally enforceable. The electronic contracts can come in various formats; for example, in the case of intangible goods such as sale of software (or rather licensing of software) there are Clickwrap, Shrinkwrap, and Boxtop licenses. The Clickwrap licenses are clickable, the type you encounter when you are installing software and the agreement pops up and will not allow you to proceed until you click the I Agree button. Shrinkwrap licenses apply to digital products that are shrinkwrapped, and breaking the shrinkwrap indicates acceptance of the agreement. Boxtop licenses are generally enclosed in the boxes that contain the software or digital products. All of these contracts are enforceable. The courts have upheld these contracts as long as these agreements were consistent with the general contract principles.

The primary concerns in these areas are drafting of electronic contracts, methods of acceptance, and compliance with the letter and spirit of the law. The laws also shift the burden of proof to the corporation if the customer denies ever having ordered the goods. For such a situation, the online corporation must establish electronic controls that will enable tracing of each order to a specific customer (referred to as non-repudiation). In B2C transactions, the standard controls may be asking the customer for name, address, credit card number, and assigning password protected areas before the order is finalized. UETA, UCITA, and E-SIGN have rationalized conduct of the online transactions, though this is an emerging legal area and not all questions are answered. These facts are to be remembered as internal controls are designed for online transactions.

3 E-SIGN defines electronic signature as an electronic sound, symbol, or process, attached or logically associated with the contract or other record and executed and adopted by a person with the intent to sign the record. This definition is broader than, but includes, digital signatures.


[Figure 3 arranges the objectives of online controls around the label ONLINE CONTROLS, each paired with the question it answers:]

Validity of Transactions: Is it legal?

Mutual Authentication of Identity: Do we know each other?

Authorization: Can you do that?

Data Integrity and Confidentiality: Did anybody tamper with you? Did anybody see you?

Non-Repudiation: You come from where? Can we verify?

Auditability of Transactions: Do we have a record?

Figure 3: A Conceptual Framework for Online Controls

The USA Patriot (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism) Act of 2001 has specific provisions to combat money laundering and financing of terrorist activities. This act is applicable to the financial institutions, and also to entities such as broker-dealers, insurance companies, credit unions, mutual funds, credit card companies, and money service bureaus. The act will eventually apply even to travel agents and car dealers. Money laundering refers to funds that were illegally acquired, generally through criminal activities, and then routed through a financial institution to make them look legitimate. The act also adds to the definition of money laundering funds that are legitimately moving through the financial institutions but have the ultimate purpose of financing illegal activity. The act requires financial institutions to detect, deter, and report all money laundering activities. The financial institutions need to watch financial transactions from the money laundering perspective and should have compliance programs in place. Non-compliance with the act may result in severe civil and criminal penalties; for example, eBay’s PayPal was charged with violating the provisions of the US Patriot Act on March 31, 2003 by the US Attorney’s office. The next day, eBay’s shares went down by $4 per share, a total loss of approximately $1 billion in market capitalization [10].

Another important issue on the Internet is the privacy of customer information. Privacy has been an important issue for a long time, though it becomes even more urgent in the online world. The Internet makes collecting, storing, analyzing, and selling of customer information very easy. Additionally, such information can be collected without the consumer’s knowledge or consent. GLBA (Gramm-Leach-Bliley Act) deals with privacy issues in the context of the financial industry: banks, securities firms, and insurance companies. GLBA provides guidelines for protecting customer and member information. The objectives of GLBA are to ensure security and confidentiality of nonpublic personal information and to protect against destruction or unauthorized access of such personal information. GLBA does not provide specific guidance on how to achieve these objectives; it is left to the individual organizations. However, since GLBA deals with privacy and control issues, it must be factored in while designing internal controls. A number of automated solutions have come to the market to manage risks associated with compliance with these new laws.


Finally, design of internal controls should also cover auditing concerns. Internal controls in this area deal with tracking, validating, recording, and maintaining audit trails for online transactions. The storage of past transactions, backups for the storage, and easy access to the disputed past transactions are some of the areas that need to be addressed in this regard.

Audit trails need to be maintained for valid and invalid transactions, especially if invalid transactions indicate a security violation or inappropriate user activity. This is important due to the ease with which electronic records can be erased and intrusion tracks or fraudulent activity can be covered.

The personnel who handle online auditing duties need to be qualified, have clear responsibilities, and be supported by the management. Technical solutions are only the first line of defense. The Sarbanes-Oxley Act of 2002 mandates documentation of internal controls over financial reporting by the management. If the networks are used for financial transactions, and that is the purpose of networks in business, then management needs a proper understanding of controls and should be able to assess the adequacy of documentation.

Mutual Authentication of Identity

Authentication is a process of verifying identities of the transacting parties. It involves determining whether someone or something is, in fact, who or what it is declared to be. Authentication of identity has two facets: the identity of the machines and the identity of the humans operating the machines.

Such authentication can be carried out by means of static or dynamic passwords or PINs (personal identification numbers), passwords or PINs and security tokens, automatic callbacks, and biometric techniques. The use of digital certificates is also increasingly common. Establishing the identity of a human at the end of the machine is primarily a matter of intra-organizational controls. It requires review of access controls and separation of duties within the organization. The human user is identified by something the user knows, something the user carries, or something about the user. These criteria include passwords, ID cards, or biometric measures such as fingerprints.

Authorization

Authorization is the step after authentication. The machine and user are identified and are allowed access to the computer system in the authentication phase. Then the authorization phase deals with granting rights to the user to perform certain things. These rights define types of resources and actions allowed to the user; for example, the user can read, write, or modify but cannot delete files. The rights can be assigned via ACLs (Access Control Lists).

Accounting, which may follow authorization, involves collecting statistics and usage information for a particular user or class of users. This information is then used for authorization control, billing, trend analysis, resource utilization, and capacity planning.

Data Integrity and Confidentiality

Data integrity refers to the transfer of data without any modification, intentional or unintentional, in transit. Data confidentiality refers to the inability of unauthorized parties to access data. The standard controls in this area include encryption, security algorithms, and communication protocols such as SSL (Secure Sockets Layer).

Non-repudiation

Non-repudiation refers to the proof that the electronic document was sent by the sender and was received by the receiver. The three aspects of non-repudiation are: non-repudiation of origin, non-repudiation of receipt, and non-repudiation of submission. Non-repudiation covers the problem of the post facto denial of an electronic transaction by the transacting parties. First, it proves that the transaction took place and second, it establishes the identity of the transacting parties. Controls such as digital signatures and digital certificates address non-repudiation.

Auditability of Transactions

Auditability of transactions refers to the existence of an audit trail and the ability to verify past transactions. The transactions should be validated, controlled, and recorded properly. A log of users, resources used by the users, and various system functions is also required for auditability. The audit trail problems can be solved by maintaining backups, time stamps, and file linkages.
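The audit-trail controls named in this section and in the auditing discussion above (time stamps, file linkages, backups, retention of both valid and invalid transactions) can be illustrated with a hash-chained log in which each record carries the digest of its predecessor. This is an added example, not code from the paper; its transaction records are constructed sample data.

```python
"""Tamper-evident audit trail for online transactions.

Added example, not code from the paper: each record carries a time stamp and
the digest of its predecessor (a file linkage), so that erasing, editing or
reordering any record, valid or invalid, breaks the chain at a detectable
point. All transaction values below are constructed sample data.
"""
from __future__ import annotations

import copy
import hashlib
import json

GENESIS = "0" * 64  # link value carried by the first record


def _digest(body: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so equal content hashes equally
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_entry(log: list, user: str, action: str, outcome: str, ts: str) -> dict:
    """Append one transaction record linked to the previous one; returns it."""
    record = {
        "seq": len(log),                  # position in the trail
        "timestamp": ts,                  # time stamp of the event
        "user": user,
        "action": action,
        "outcome": outcome,               # valid or invalid, both are kept
        "prev": log[-1]["digest"] if log else GENESIS,  # file linkage
    }
    record["digest"] = _digest(record)    # digest covers every field above
    log.append(record)
    return record


def verify_chain(log: list) -> tuple[bool, int | None]:
    """Walk the trail; return (True, None) if intact, else (False, first bad index).

    A record is bad if its sequence number, its link to the predecessor or its
    own digest does not match, which is what an erased, inserted, reordered or
    edited entry produces.
    """
    expected_prev = GENESIS
    for i, record in enumerate(log):
        body = {k: v for k, v in record.items() if k != "digest"}
        if (record["seq"] != i or record["prev"] != expected_prev
                or _digest(body) != record["digest"]):
            return False, i
        expected_prev = record["digest"]
    return True, None


def verify_with_anchor(log: list, anchor: str) -> bool:
    """Chain check plus comparison of the newest digest with an independently
    stored copy (for example from a backup); this is what catches removal of
    the tail, which the chain alone cannot see."""
    ok, _ = verify_chain(log)
    return ok and bool(log) and log[-1]["digest"] == anchor


def build_sample_log() -> list:
    """Constructed sample trail: two valid transactions and one failed login."""
    log: list = []
    append_entry(log, "alice", "place order 1001", "valid", "2004-01-05T09:12:00Z")
    append_entry(log, "bob", "login", "invalid: wrong password", "2004-01-05T09:13:30Z")
    append_entry(log, "alice", "modify order 1001", "valid", "2004-01-05T09:15:02Z")
    return log


def erase_entry(log: list, index: int) -> list:
    """Simulate covering tracks by deleting one record; returns a new list."""
    tampered = copy.deepcopy(log)
    del tampered[index]
    return tampered


def alter_entry(log: list, index: int, field: str, value: str) -> list:
    """Simulate editing one field of a stored record; returns a new list."""
    tampered = copy.deepcopy(log)
    tampered[index][field] = value
    return tampered


if __name__ == "__main__":
    trail = build_sample_log()
    anchor = trail[-1]["digest"]          # kept separately, e.g. in a backup
    print("intact trail:", verify_chain(trail))                          # (True, None)
    print("failed login erased:", verify_chain(erase_entry(trail, 1)))   # (False, 1)
    print("outcome edited:", verify_chain(alter_entry(trail, 1, "outcome", "valid")))  # (False, 1)
    print("tail removed, chain only:", verify_chain(erase_entry(trail, 2)))  # (True, None)
    print("tail removed, with anchor:", verify_with_anchor(erase_entry(trail, 2), anchor))  # False
```

Deleting only the newest record leaves a chain that still verifies, which is why verify_with_anchor compares the last digest against an independently kept copy such as a backup.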

The common online internal controls are classified according to the elements of the framework in Figure 4. Security policy, being the intent of the management, forms the basis for employing various controls. This classification helps in asking the right questions. For example, internal control questions over e-mail can be summarized as follows.

• How do you know that the e-mail is valid?

• How do you know that the e-mail came from the person identified in it?

• How do you grant permissions to e-mail users to perform e-mail related activities?

• How do you know that the e-mail was not altered in transit?

• How do you know that nobody else has seen the e-mail?

• How can we trace earlier e-mails?

[Figure 4 is a diagram of which only the labels survive extraction. It shows the six elements of the framework, Validity of Transactions, Mutual Authentication of Identity, Authorization, Data Integrity and Confidentiality, Non-Repudiation, and Auditability of Transactions, resting on the Security Policy of the Organization, with the following controls listed against them: Compliance with Laws, Passwords, Access Control Lists, Digital Signatures, Digital Certificates, Message Security Protocols, Encryption, Virtual Private Networks, Audit Trails, Backups, and Automated Data Collection Techniques. Several controls appear under more than one element.]

Figure 4: the conceptual framework and online controls

These questions do not require any technical understanding of the internal controls for the Internet. The framework simply enables us to ask intelligent and logical questions. The areas in the conceptual framework are not mutually exclusive, and a single control technique can perform several functions, such as validity, authorization, and authentication, at the same time.

CONCLUSION

A profusion of online controls has created problems in understanding the purposes and objectives of online internal controls. This paper presents conceptual approaches to the online controls to aid our understanding of controls on the Internet. First, the COSO/AICPA framework is presented. The online internal controls are then classified according to this framework. This classification is useful to accountants and auditors in understanding the purposes of online controls.

Next, a conceptual framework was developed based on the objectives of online internal controls. The objectives of internal controls were stated as validity of transactions, mutual authentication of identity, authorization, data integrity and confidentiality, non-repudiation, and auditability of transactions. This framework enables us to ask intelligent questions regarding internal controls even in the absence of a full technical understanding of the said controls.



AUTHOR BIOGRAPHY

Ashutosh V. Deshmukh is Associate Professor of Accounting and Information Systems at the Pennsylvania State University – Erie. His research and teaching interests are in accounting information systems and auditing. He is the author of over 20 articles in the areas of accounting information systems and auditing. He has practical experience in public and industrial accounting. He is an Associate Editor for the International Journal of Accounting, Auditing, and Performance Evaluation.